The use of one-time passwords (OTP) as a second factor of
authentication is growing in popularity, but some experts warn that if
they are not deployed smartly, they could actually leave
organizations less secure than if they had not used an OTP at all.
Some critics point to Facebook's deployment of OTP, announced last
week, as a prime example.
Facebook announced to users that they now have the option of
texting "otp" to 32665 from any U.S. mobile phone to receive an OTP
via SMS that is good for 20 minutes of log-in time to their
Facebook account. The idea is that users request an OTP when logging in
from a computer they don't trust.
"It could be argued Facebook's option makes your account less
secure. If you walk away from your computer or leave your phone
unlocked while logged in to Facebook, I could access your account
and change the cell phone to one I control," says Chet Wisniewski,
senior security adviser at Sophos, who adds that most people don't
password-protect their phones and, as a body, we're very prone to
losing phones here in the U.S.
"Now I have remote access any time I like, and you are unlikely
to be aware. It concerns me that Facebook touts this as a 'safe'
way to use computers in libraries, cyber cafés, and airports
when you are exposing all of your Facebook information to the
malware that is likely on those computers," he says.
According to Rachael Stockton, principal product marketing
manager for RSA, not all OTP methods are created equal. "Some
methods are more secure than others. SMS is easier to crack than
some other authentication methods," she says. "Hardware and
software OTPs are generally regarded as stronger than SMS-delivered
OTP, but all should play a part in a layered approach to
protection, including risk-based authentication."
As you balance your options, Stockton suggests the decision
matrix should factor in required security level, the value of the
information needing protection, convenience to the end users, and
the cost of the OTP form factor.
Organizations deploying OTP should consider offering more than
one OTP form factor, she says. "When organizations are deploying
OTP to a diverse user base, they need to consider offering a choice
of authentication form factors and methods, as one size does not
fit all," Stockton says. "SMS may be convenient for some, but not
if your phone is often out of range. Also, they need to consider
the myriad of applications they need to support, now and in the
future, and ensure their solution will be able to integrate
them."
Also, regardless of the kind of OTP or the size of the organization,
OTP is just one part of the ecosystem for securing machines and
accounts.
"Finally, whether a company is deploying OTP to large or small
organizations, they need systems with strong administrative
controls due to the importance of provisioning, managing,
reporting, and auditing these critical business assets," Stockton
says.
Sophos' Wisniewski believes OTP should definitely play a part in
the progression toward better authentication practices, but at the
same time it is hardly a security panacea.
"Multifactor authentication is a great way to secure trusted
computers and better secure remote access to networks," he says.
"It does not solve all problems, but it does solve the problem of
passwords being brute-forced and passwords being shared."
Like Stockton, he warns that OTP and other multifactor
authentication methods are only as strong as the systems they are used
on, and offer limited protection when those systems are exposed to
other vulnerabilities.
"Multifactor authentication does not solve the problem of
data-stealing malware ferrying information to criminals in
cyberspace. Whether you log in using your regular password or an
OTP is irrelevant if the computer being used is infected with
malware," Wisniewski says.
"Once a computer has been compromised, you may have protected
your password through the use of an OTP, but all data you are
accessing or entering is still vulnerable. If a system is important
enough that you need to access it remotely and you are willing to
deploy additional authentication methods, then the data being
accessed is likely far too important to risk your data being
captured by malicious software."